gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().

A recent vulnerability in the Linux kernel, specifically in the GTP (GPRS Tunneling Protocol) implementation, has been identified and addressed. This vulnerability, assigned CVE-2025-21865, is a list corruption issue that surfaces as a kernel warning ("splat") in the gtp_net_exit_batch_rtnl() function. Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). []

Commit eb28fd76ca ("gtp: Destroy device along with udp socket's netns dismantle.") introduced a for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in Geneve and IP tunnels. However, this implementation could invoke ->dellink() twice for the same device during ->exit_batch_rtnl(), causing the list corruption issue.

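    /* Loop added by the commit above: walks every device in the netns */
    for_each_netdev(net, dev) {
        if (dev->rtnl_link_ops == &gtp_link_ops)
            dev->rtnl_link_ops->dellink(dev, &list_kill);
    }

Side effects of calling gtp_dellink() more than once are OK when CONFIG_DEBUG_LIST is not enabled, but it needs a fix when it is enabled.

Consider two netns, A and B, and a GTP device B that resides in netns B but whose UDP socket is in netns A.

1. cleanup_net() processes netns A and then B.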

2. gtp_net_exit_batch_rtnl() finds the device B while iterating netns A's gn->gtp_dev_list and calls ->dellink().

[device B is not yet unlinked from netns B as unregister_netdevice_many() has not been called.]

3. gtp_net_exit_batch_rtnl() finds the device B while iterating netns B's for_each_netdev() and calls ->dellink().

In such a scenario, gtp_dellink() handles cleaning the device's hash table, unlinking the dev from gn->gtp_dev_list, and calling unregister_netdevice_queue(). Essentially, calling gtp_dellink() multiple times is fine unless CONFIG_DEBUG_LIST is enabled.

To resolve this issue, developers have opted to remove the for_each_netdev() in gtp_net_exit_batch_rtnl() and delegate the destruction to default_device_exit_batch() as performed in bareudp.
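
The double ->dellink() sequence in steps 2 and 3 can be modelled in a few lines of userspace C. This is an added example, not kernel code and not part of the patch: list_del_checked() and teardown_splats() are hypothetical names, and the poison constants are stand-ins for the kernel's LIST_POISON1/LIST_POISON2.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of the kernel's list_head; poison values are stand-ins. */
struct list_head { struct list_head *next, *prev; };
#define POISON1 ((struct list_head *)0x100)
#define POISON2 ((struct list_head *)0x122)

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* list_del() with a CONFIG_DEBUG_LIST-style check: reject a poisoned entry. */
static bool list_del_checked(struct list_head *e)
{
    if (e->next == POISON1 || e->prev == POISON2)
        return false;   /* where the kernel reports "list_del corruption" */
    e->next->prev = e->prev;
    e->prev->next = e->next;
    e->next = POISON1;
    e->prev = POISON2;
    return true;
}

/* Tear down netns A, then B. Device B lives in netns B, but sits on netns A's
 * gtp_dev_list. walk_netdevs=true models the extra for_each_netdev() pass.
 * Returns how many unlink attempts hit an already-deleted entry. */
int teardown_splats(bool walk_netdevs)
{
    struct list_head gtp_dev_list_a = { &gtp_dev_list_a, &gtp_dev_list_a };
    struct list_head dev_b;   /* stands in for device B's gtp->list */
    int splats = 0;

    list_add(&dev_b, &gtp_dev_list_a);
    if (!list_del_checked(&dev_b))                  /* step 2: netns A list walk */
        splats++;
    if (walk_netdevs && !list_del_checked(&dev_b))  /* step 3: netns B netdev walk */
        splats++;
    return splats;
}

int main(void)
{
    printf("with for_each_netdev(): %d splat(s)\n", teardown_splats(true));
    printf("list walk only:         %d splat(s)\n", teardown_splats(false));
    return 0;
}
```

With the extra netdev walk the second unlink hits the poisoned entry once; with only the gtp_dev_list walk, as after the fix, each device is unlinked exactly once.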

For the original report of this vulnerability, refer to Brad Spengler's documentation [].

Vulnerable Linux kernel versions and subsequent resolution patches can be found on the Linux kernel source tree at:
- Linus Torvalds' GitHub repository: https://github.com/torvalds/linux
- Greg Kroah-Hartman's GitHub repository: https://github.com/gregkh/linux

[]: https://lkml.org/lkml/2022/2/13/263
[1]: https://www.kernel.org/doc/html/latest/networking/gtp.html

Timeline

Published on: 03/12/2025 10:15:19 UTC
Last modified on: 03/24/2025 15:41:36 UTC